Louisiana has brought some of its services back as it recovers from a targeted ransomware attack using the Ryuk malware on November 18. The state's Office of Motor Vehicles re-opened offices on Monday in a limited fashion. But OMV and other agencies affected—including the state's Department of Health and Department of Public Safety—are facing a number of potential hurdles to restoring all services, according to people familiar with Louisiana's IT operations.
The ransomware payload was apparently spread across agencies by exploiting Microsoft Windows group policy objects (GPOs)—meaning that the attackers had gained access to administrative privileges across multiple Active Directory domains. This is symptomatic of TrickBot malware attacks, which use GPOs and PsExec (a Microsoft remote administration tool) to spread their payload.
This is the second major cybersecurity incident this year in Louisiana tied to Ryuk ransomware. In July, Governor John Bel Edwards declared a state of emergency and deployed the state's cyber response team to assist seven parish school districts. There have been many other Ryuk attacks this year that have used TrickBot and, in some cases, the Emotet trojan—an attack referred to by some experts as a "Triple Threat" commodity malware attack. At least two Florida cities and Georgia's Judicial Council and Administrative Office of the Courts were also hit by "Triple Threat" attacks.
In October, the Federal Bureau of Investigation issued a warning of increased targeting by ransomware operators of "big game"—targets with deep pockets and critical data that were more likely to pay ransoms to restore their systems. The past week has shown that warning was for good reason.
On November 18, a ransomware attack caused Louisiana's Office of Technology Services to shut down parts of its network, including the systems of several major state agencies. These included the governor's office, the Department of Health (including Medicare systems), the Department of Children and Family Services, the Department of Motor Vehicles, and the Department of Transportation. Louisiana Governor John Bel Edwards activated the state's cybersecurity response team.
Today, we activated the state's cybersecurity team in response to an attempted ransomware attack that is affecting some state servers. The Office of Technology Services identified a cybersecurity threat that affected some, but not all state servers. #lagov #lalege
While some services have been brought back online—in some cases, within hours—others are still in the process of being restored. Most of the service interruptions were caused by "our aggressive actions to combat the attack," according to Louisiana Commissioner of Administration Jay Dardenne. "We are confident we did not have any lost data, and we appreciate the public's patience as we continue to bring services online over the next few days."